The alternative is to require security managers written in Java to do their own signing key pair secure storage instead of storing it in a bus attachment. As much as I’d like to think writers of security managers would be more careful, that’s going to be error-prone, and we’ve already committed to letting it be done this way in the C++ API.
The biggest part of this is adding to the C++ API. The level of effort is small (we just need some wrappers that call the XML converter and then call the Manifest object-taking version). I don’t see where this would require changes to existing code so regression risk should be zero. As I mentioned on the other thread, it may be possible to do this internally in the JNI without adding to the C++ API, but since we want to prefer APIs that use XML, having the Java API have an XML version of this API without the C++ API having one seems sloppy. The amount of work is about the same either way. From: George Tang [mailto:[email protected]] Sent: Tuesday, October 25, 2016 8:37 AM To: Josh Spain <[email protected]>; Kevin Kane <[email protected]> Cc: Noah Harlan <[email protected]>; allseen-core <[email protected]> Subject: Re: [Allseen-core] ER_PERMISSION_DENIED I classify this as a part of Security 2.0 functionality that isn't available on Java. My reasoning is since manifest isn't a datatype allowed on java and while there is a function in Permission configurator to sign a manifest datatype, there isn't one to sign a string manifest. I think this is low - medium effort. 8 hours not including a code review. If this isn't added, there isn't a very clear way to call SecurityApplicationProxy Reset, or StartManagement, or EndManagement. On Tue, Oct 25, 2016 at 10:02 AM, Josh Spain <[email protected]<mailto:[email protected]>> wrote: Thanks Noah, that's a good point. Based on the discussion I can't tell if there's a workaround or if part of Security 2.0 functionality on Java is absent. If it's the latter then we have to fix it, if it's the former then we need a compelling argument as Kevin said. @George, @Kevin, what is the level of effort and risk on this, and how important is it? Thanks, Josh [https://s3.amazonaws.com/ucwebapp.wisestamp.com/12898986-6b24-4785-b392-dfd3cd5cdd09/Affinegylogo201450px.format_png.resize_200x.png] Josh Spain Director of Engineering Affinegy, Inc. t.512-535-1700 x1006<tel:512-535-1700%20x1006> a. 1705 S Capital of Texas Hwy, Suite 310, Austin, TX 78746 USA Website<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Faffinegy.com&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=sj8LGQKfKM6Ml3hzlKgp%2BqKlqQisL28O98TQoR%2FoG48%3D&reserved=0> Email<mailto:[email protected]> [https://s3.amazonaws.com/images.wisestamp.com/icons_32/linkedin.png]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Fjoshspain&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=UfbNQoCszycr8ONNL6guOukUML1jWTPSKWZ8MMNjTJg%3D&reserved=0> [https://s3.amazonaws.com/images.wisestamp.com/icons_32/twitter.png] <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftwitter.com%2Faffinegy&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=zMX%2FNlUd%2Bq2BhimbJOyLP4Vqpu%2BMagPdB8QebcneTDo%3D&reserved=0> [https://s3.amazonaws.com/images.wisestamp.com/icons/twitter.png]Latest Tweet:<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FAffinegy&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=pZxu7DBMrMRnmJpgcF%2FfIxQD%2BZp23VhbLwfoLb0mEIE%3D&reserved=0> The @LeEcoGlobal<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FLeEcoGlobal&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=rpvRbaOEIwt6T4qKissdXi6Vic81CYYJ14BLUHKK8%2BE%3D&reserved=0> North America debut here - https://t.co/DGgEcFHxNY<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft.co%2FDGgEcFHxNY&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=HbD0F56VgUlfWu28BvZUQcjbpmBeCw3dxs%2F5NAjAcO0%3D&reserved=0>. Labeled #odd<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fodd&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=6EchWGaebsj7hWwvMSSmR6cGS2pv6OKC32FTwBlrV%2F8%3D&reserved=0> by many sources, but #bold<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fbold&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=mVfAkaq44ByYAT1pwVbSUVZQ4r2WsLABiFp3NUr8AIQ%3D&reserved=0> nonetheless.. Read More<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FAffinegy%2Fstatuses%2F790163224779853824&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=e0YO%2F6XVcOW2alfIM3sDwOPN4oNCVA%2BZXzhn66CCRPo%3D&reserved=0> [https://s3.amazonaws.com/images.wisestamp.com/email-apps/twitter_button/twitter-white.png]<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FAffinegy&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=pZxu7DBMrMRnmJpgcF%2FfIxQD%2BZp23VhbLwfoLb0mEIE%3D&reserved=0> On Mon, Oct 24, 2016 at 10:41 PM, Noah Harlan <[email protected]<mailto:[email protected]>> wrote: Fwiw: if it doesn't go in now then it won't ever be in the certified base implementation so it might be worth querying if never having it is preferable. 16.10 is the last certified base implementation. --------------------- Noah Harlan Sent from a portable device Typos are courtesy of big thumbs On Oct 24, 2016, at 5:07 PM, Kevin Kane via Allseen-core <[email protected]<mailto:[email protected]>> wrote: It’s an API change, which is no small thing. I think you have to argue the need for it is compelling enough to allow it at this late point in the release cycle. From: George Tang [mailto:[email protected]] Sent: Monday, October 24, 2016 12:49 PM To: Kevin Kane <[email protected]<mailto:[email protected]>> Cc: allseen-core <[email protected]<mailto:[email protected]>> Subject: RE: [Allseen-core] ER_PERMISSION_DENIED I'm fine with this. Would this be a problem since it's a code freeze? On Oct 24, 2016 1:48 PM, "Kevin Kane" <[email protected]<mailto:[email protected]>> wrote: Ah, that’s a good point. This may be an artifact of unit test code previously using bus attachments to sign certificates and manifests as a convenient way to generate and use public/private key pairs. The SecurityApplicationProxy methods are designed to work with XML strings, but they require providing the signing key as a parameter. I think you’ve identified a gap in the API. Personally I think it’s poor design for a security manager to use a bus attachment as a key container, but the convenience of doing so (as opposed to implementing some external storage method for keys) seems to be too compelling. The solution could be to add overloads to C++ PermissionConfigurator’s SignManifest method to allow it to operate on XML strings, the same way SecurityApplicationProxy’s do, and then exposing those through to the Java layer. We generally want to move to XML-using APIs. What do you think? From: George Tang [mailto:[email protected]<mailto:[email protected]>] Sent: Monday, October 24, 2016 11:45 AM To: Kevin Kane <[email protected]<mailto:[email protected]>> Cc: allseen-core <[email protected]<mailto:[email protected]>> Subject: Re: [Allseen-core] ER_PERMISSION_DENIED I didn't expose this function to the Java side, because that would expose the manifest datatype. There didn't seem to be a sign manifest for string. Is the solution exposing a java one specifically with a string manifest parameter, doing the conversions in the JNI layer, and returning a string? I have taken a look a XmlManifestConverter, and I don't it is public, so I don't think I would be able to use existing infrastructure to do this. On Mon, Oct 24, 2016 at 1:26 PM, Kevin Kane <[email protected]<mailto:[email protected]>> wrote: PermissionConfigurator also has a SignManifest method for this purpose. From: George Tang [mailto:[email protected]<mailto:[email protected]>] Sent: Monday, October 24, 2016 11:19 AM To: Kevin Kane <[email protected]<mailto:[email protected]>> Cc: allseen-core <[email protected]<mailto:[email protected]>> Subject: Re: [Allseen-core] ER_PERMISSION_DENIED When the certificates are signed with the generated private key instead of by PermissionConfigurator.sign from the bus attachment, calling claim will give me an ER_INVALID_CERTIFICATE. Since CredentialAccessor isn't public, the security manager sample shouldn't be able to get the bus private key either. I'm curious if the security manager uses the bus's permission configurators to sign the certificate. and how it gets the private key to sign the manifest. On Mon, Oct 24, 2016 at 12:37 PM, Kevin Kane <[email protected]<mailto:[email protected]>> wrote: The manifest needs to be signed with the same private key that signed the certificate. From: George Tang [mailto:[email protected]<mailto:[email protected]>] Sent: Monday, October 24, 2016 10:20 AM To: Kevin Kane <[email protected]<mailto:[email protected]>> Cc: allseen-core <[email protected]<mailto:[email protected]>> Subject: Re: [Allseen-core] ER_PERMISSION_DENIED After adding the SecureConnection call on the bus attachments, there is a SendManifests call. However, another error before the reset ER_PERMISSION_DENIED, manifest signature failed to verify. Since I am signing the manifests with a generated private key and not the bus's private key from credential accessor, are there any fields in the certificate that I need to change to the generated public key? Do I need to sign the certificates with the generated private key too instead of with the bus's permission configurator? I have attached the new log. Thanks, George On Mon, Oct 24, 2016 at 10:35 AM, Kevin Kane <[email protected]<mailto:[email protected]>> wrote: Is your test also calling SecureConnection(true) on the bus attachment after Claim so that the ECDSA session is established? Otherwise the manager bus will try to continue with the existing ECHDE_NULL session and the method calls will fail. From: George Tang [mailto:[email protected]<mailto:[email protected]>] Sent: Saturday, October 22, 2016 9:38 AM To: Kevin Kane <[email protected]<mailto:[email protected]>> Cc: allseen-core <[email protected]<mailto:[email protected]>> Subject: Re: [Allseen-core] ER_PERMISSION_DENIED Hi Kevin, The logs contain a call to installMembership on the manager bus. Are there any other reasons for not having a sendMemberships call? When writing these tests I could not use credential accessor to get the guid of the bus to set the IssuerCN, and I could not use it to get the bus privatekey to sign the manifest. So I generated a random private key and a random guid instead. Thanks, George On Fri, Oct 21, 2016 at 10:20 AM, Kevin Kane <[email protected]<mailto:[email protected]>> wrote: I don’t see any calls to SendMemberships in the trace. This suggests your security manager bus attachment hasn’t been provisioned with an admin group membership certificate, since later the PERMISSION_MGMT source shows the peer does not match against the ACL for WITH_MEMBERSHP, which should match. Can you make sure your setup generates and installs an admin group membership certificate onto the bus attachment from which you make the Reset call? From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of George Tang Sent: Thursday, October 20, 2016 9:09 PM To: allseen-core <[email protected]<mailto:[email protected]>> Subject: [Allseen-core] ER_PERMISSION_DENIED Hi all, I am getting this error ER_PERMISSION_DENIED, when calling reset in Java. I have a feeling that some value of CertificateX509 is not being set correctly, but I don't know which value. I have the logs for a successful call to reset from the core sample test SecurityClaimApplicationTest.cc<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2FSecurityClaimApplicationTest.cc&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=NDFWqZ8LRt3lnbXLzl6HoLew8iQOv86qQVA%2FibFRhsM%3D&reserved=0> (testlog). I also have logs the call to reset from the Java bindings that fails (antlog). It would be great if someone experienced in security and certificates could take a look. Thanks, George _______________________________________________ Allseen-core mailing list [email protected]<mailto:[email protected]> https://lists.allseenalliance.org/mailman/listinfo/allseen-core<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.allseenalliance.org%2Fmailman%2Flistinfo%2Fallseen-core&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449658564&sdata=Z6VE82fswMDv0n4yLLuXuaSpL4BXRvK1SOyQaFjg3%2FQ%3D&reserved=0> _______________________________________________ Allseen-core mailing list [email protected]<mailto:[email protected]> https://lists.allseenalliance.org/mailman/listinfo/allseen-core<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.allseenalliance.org%2Fmailman%2Flistinfo%2Fallseen-core&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449668572&sdata=kGQWlX2lvdgNlay0Pkckf8adY21wrtxKiWmvKiwLHV8%3D&reserved=0> _______________________________________________ Allseen-core mailing list [email protected]<mailto:[email protected]> https://lists.allseenalliance.org/mailman/listinfo/allseen-core<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.allseenalliance.org%2Fmailman%2Flistinfo%2Fallseen-core&data=02%7C01%7Ckkane%40microsoft.com%7C3ad472f3678240c1ac1b08d3fcecd0c1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636130066449668572&sdata=kGQWlX2lvdgNlay0Pkckf8adY21wrtxKiWmvKiwLHV8%3D&reserved=0>
_______________________________________________ Allseen-core mailing list [email protected] https://lists.allseenalliance.org/mailman/listinfo/allseen-core
![https://s3.amazonaws.com/images.wisestamp.com/icons/twitter.png]Latest](https://s3.amazonaws.com/images.wisestamp.com/icons/twitter.png]Latest){kind=link}
